Mutually Unbiased Bases, Generalized Spin 
Matrices and Separability 

Arthur O. Pittenger 
Department of Mathematics and Statistics 

Morton H. Rubin 
Department of Physics 

University of Maryland, Baltimore County 
Baltimore, MD 21250 
pittenge@math.umbc.edu 
rubin@umbc.edu 

August 25, 2003 

Abstract 

A collection of orthonormal bases for a complex d-dimensional Hilbert
space is called mutually unbiased (MUB) if for any two vectors v and w
from different bases the square of the inner product equals 1/d:
$|\langle v, w\rangle|^2 = 1/d$. The MUB problem is to prove or disprove
the existence of a maximal set of d + 1 bases. It has been shown in
W. K. Wootters and B. D. Fields (1989, Annals of Physics, 191, 363) that
such a collection exists if d is a power of a prime number p. We revisit
this problem and use d × d generalizations of the Pauli spin matrices to
give a constructive proof of this result. Specifically we give explicit
representations of commuting families of unitary matrices whose
eigenvectors solve the MUB problem. Additionally we give formulas from
which the orthogonal bases can be readily computed. We show how the
techniques developed here provide a natural way to analyze the
separability of the bases. The techniques used require properties of
algebraic field extensions, and the relevant part of that theory is
included in an Appendix.

Keywords: Mutually unbiased bases, Generalized spin matrices

1 Introduction. 

Let H denote a complex d-dimensional Hilbert space and $\rho$ a density matrix
modeling a d-level quantum system. Then $\rho$ is a positive semidefinite, trace one
matrix and as such is Hermitian and is determined by $d^2 - 1$ real numbers. A
laboratory device that measures $\rho$ is represented by a Hermitian matrix
$A = \sum_k a_k P_k$, where $\{P_k : 1 \le k \le n\}$ is a set of rank one mutually
orthogonal projections. (In Dirac notation $P_k$ denotes the outer product
$|v_k\rangle\langle v_k|$ of the eigenvector $|v_k\rangle$.) If the eigenvalues are
distinct, A is called non-degenerate, and the non-negative values
$p_k(\rho, A) = \mathrm{Tr}[\rho P_k]$ can be estimated by repeated experiments.
Since $\sum_k p_k(\rho, A) = 1$, one obtains d − 1 independent pieces of
information, and a minimum of d + 1 such well designed experiments would be
required to recover the density $\rho$.

The problem of mutually unbiased bases (MUB) refers to the theoretical
possibility of defining d + 1 such bases with the additional property that
$\mathrm{Tr}(P_j^r P_k^s) = 1/d$ for any pair of projections associated with
different experimental configurations, labeled by r and s. Such a collection of bases provides an
optimal way of estimating p, and we refer to jlB) for a discussion of that feature. 

As an example, for a two-level system there is such a set of bases that can 
be represented in terms of the usual Pauli matrices, 

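$\sigma_0 = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}, \quad \sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \sigma_y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$

The three sets of projections $\{\tfrac{1}{2}(\sigma_0 \pm \sigma_x)\}$,
$\{\tfrac{1}{2}(\sigma_0 \pm \sigma_y)\}$, and $\{\tfrac{1}{2}(\sigma_0 \pm \sigma_z)\}$
correspond to measurements along the three spin axes of a two-level system.
The existence of such bases for d = p, p a prime, was first established in ^ and
was extended to $d = p^n$ in jJSj. Recent papers on the subject include mUl,
that discuss the general case, and [S], that works in the context of $d = 2^n$. To
the best of our knowledge, there are no definitive results for other values of d.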

While writing up our results, we attended a talk by Bill Wootters, who 
outlined a different approach to the problem of mutually unbiased bases and who 
brought 21 to our attention. Although the motivations of the two approaches 
appear to be quite different, they require the same mathematical tools and 
appear to lead to the same results. An interesting question is the relationship 
between the two approaches. 

Our interest in this problem was stimulated by the following result in p^. 

Theorem 1.1 (f^ Thm 3.2) Suppose that one has $d^2$ unitary matrices orthogonal
in the Frobenius or trace inner product, one of which is the identity matrix.
Suppose further that these matrices can be grouped into d + 1 classes of d
commuting matrices and that the only matrix common to two different classes is the
identity. Then there is a set of d + 1 mutually unbiased bases.

Motivated by the observation that the Pauli spin matrices can be derived
as a Hadamard transform of certain basis matrices, we defined in |1L)| a family
of $d^2$ matrices that are orthogonal with respect to the trace inner product.
Accordingly we refer to them as (generalized) spin matrices. Although that
approach seems to have been novel, these matrices have appeared earlier in the
literature, for example in [5] and [3| and references therein. They were also used
in p.

In addition to providing an algorithm for deriving explicit solutions to the
MUB problem for $d = p^n$, a major goal of this paper is to emphasize the utility of
the indexing of the generalized spin matrices. In fact, by interpreting the indices
as vectors we are able to put the MUB problem into the context of a vector space
over a finite field. Moreover, we can also use the indexing and results in ^U] to
write each mutually unbiased basis defined by a set of commuting matrices as
a weighted sum of those matrices.

In Section 2 we define the generalized spin matrices and record a number of
the properties given in ^U] . In Section 3 we use the notation of the generalized
spin matrices to facilitate a detailed solution of the mutually unbiased bases
problem when d = p is an odd prime. A basic idea used in that solution reappears
in the next two sections. In Section 4 we show how the use of (algebraic)
field extensions produces a solution for $d = p^2$ and set the stage for Section 5, in
which we give a constructive algorithm for solving the MUB problem explicitly
in the general case of $d = p^n$. In Section 6 we define the notion of separability
of a basis and show how the separability of the derived bases is related to the
index notation. To improve the readability of the paper, we have deferred many
of the technicalities to the end of the paper. Thus the Appendices provide the
details for computing the projections associated with a class of commuting spin
matrices, the formal mathematics underlying the results in Section 4, and the
theoretical foundation for the algorithm illustrated in Section 5.

It is important to emphasize that our methodology gives a specific solution
of the MUB problem for $d = p^n$. Once such a solution is in hand, there are many
ways to construct other mutually unbiased bases, such as using conjugation by
a unitary matrix.

Finally a word about notation. Throughout the paper we use the letters j,
k, a, b to denote the elements of $Z_d$, the integers modulo d. The letters u, v,
and z denote vectors in $V_2(F)$, the two dimensional vector space over a field
F, and w denotes a vector in $V_{2n}(Z_p)$, the 2n-dimensional vector space over
$Z_p$, where p is a prime. The Greek letters $\alpha$, $\beta$ are reserved for elements of the
Galois field $GF(p^n)$.

2 Generalized spin matrices 

In what follows d denotes the dimension of the finite dimensional complex
Hilbert space H, and the unitary matrices acting on H are indexed by subscripts
u = (j, k), with the two forms of indices used interchangeably. Let
$\{|j\rangle : j = 0, \ldots, d-1\}$ be a fixed orthonormal basis of H. We will have occasion
to use vector addition of indices, and such addition will be addition modulo d.
$\eta$ denotes the complex number $\exp(2\pi i/d)$, and it is easy to confirm that for
integers h such that $\eta^h \ne 1$

Definition 2.1 Let $0 \le j, k < d$. Then $S_{j,k} = \sum_{m=0}^{d-1} \eta^{jm}\, |m\rangle\langle m+k|$.

It is easy to confirm that $\mathrm{Tr}(S_{j,k}) = 0$ unless $S_{j,k} = S_{0,0}$, the d × d identity
matrix. A key property is that this set of matrices is closed under multiplication,
up to scalar multiples of powers of $\eta$.

Lemma 2.2 $S_{j,k} S_{a,b} = \eta^{ak} S_{j+a,k+b}$. Thus, $S_{j,k}$ and $S_{a,b}$ commute if and only
if ka = jb up to an additive multiple of d.

Proof. Using the obvious notation,

    $S_{j,k} S_{a,b} = \sum_{m=0}^{d-1} \sum_{n=0}^{d-1} \eta^{jm+an}\, \delta(m+k, n)\, |m\rangle\langle n+b|$.

If $m + k \le d - 1$, $n = m + k$ gives the only non-zero factor. If $m + k \ge d$,
$n = m + k - d$ gives the only non-zero factor. Since $\eta^d = 1$, we have

    $S_{j,k} S_{a,b} = \eta^{ak} \sum_{m=0}^{d-1} \eta^{(j+a)m}\, |m\rangle\langle m+k+b|$. □

Some useful relations follow immediately, with (iii) established by induction.
($S_{0,1}$ and $S_{1,0}$ are generators of the set $\{S_{j,k}\}$ and reduce to $\sigma_x$ and $\sigma_z$ when
d = 2.)

Corollary 2.3 (i) $S_{0,1} S_{1,0} = \eta S_{1,1} = \eta S_{1,0} S_{0,1}$, (ii) $S_{j,k} = (S_{1,0})^j (S_{0,1})^k$,
(iii)

    $(S_{j,k})^m = \eta^{jk\binom{m}{2}} S_{mj,mk}$    (2.4)

where $\binom{m}{2} = 0$ for m = 0 or 1.

We next establish that these matrices are unitary and are also orthogonal to
one another with respect to the Frobenius inner product on the space of d × d
complex matrices, $\langle A, B\rangle = \mathrm{tr}(A^\dagger B)$, where $A^\dagger$ is the Hermitian conjugate of
A.

Lemma 2.5 $(S_{j,k})^\dagger = \eta^{jk} S_{-j,-k}$. For each u, $S_u$ is unitary, and
$\mathrm{Tr}[(S_u)^\dagger S_v] = 0$ if $u \ne v$.



Proof 



d-1 d+k-1 
m=0 n=fe 

Let u = (j, k), v = (a, b); then

    $(S_u)^\dagger S_v = \eta^{jk} S_{-j,-k} S_{a,b} = \eta^{(j-a)k} S_{a-j,b-k}$.

This has trace zero if $u \ne v$, and if u = v, we get the identity, so that $S_u$ is
unitary. □

It follows that $\{S_u : u = (j, k)\}$ is a set of $d^2$ unitary matrices that forms an
orthogonal basis for the space of d × d matrices and is closed under multiplication,
up to multiples of powers of $\eta$. Thus they can be regarded as analogues of the
Pauli spin matrices, hence the terminology generalized spin matrices.

One doesn't quite recover the Pauli matrices through this procedure. In fact
when d = 2, one has $S_{0,1} = \sigma_x$, $S_{1,0} = \sigma_z$, but $S_{1,1} = i\sigma_y$ in order to fit into
the general framework. The missing factor of $i = (-1)^{1/2}$ reappears when we
define the projections associated with these unitary matrices.

Such orthogonal families of unitary matrices play a key role in quantum
information theory, as elaborated in ^Jj, and, as established in Theorem 1.1, they
are closely related to solutions of the MUB problem. The proof of Theorem 1.1
uses the fact that commuting unitary matrices can be simultaneously diagonalized,
and the bases related to the different classes have the MUB property. The
orthogonality of the unitary matrices is crucial to the analysis, and thus the
connection to the generalized spin matrices is immediate. Our problem then
reduces to finding commuting classes, and the characterization of commutativity
in terms of the indices enables us to rephrase the problem as a vector space
problem over a finite (algebraic) field. By using this specific class of orthogonal
unitary matrices, we are also able to give explicit formulas for the projections
defined by the basis vectors.

3 Spin matrices and the MUB problem for d prime

We begin with the case when d = p is a prime. As we have seen, $S_{j,k}$ and $S_{a,b}$
commute if and only if ka = jb mod p. We recast this condition in the context
of a vector space over the finite field $Z_p$, the integers modulo the prime p. Let
$V_2(Z_p) = \{(j, k) : j, k \in Z_p\}$, and define a symplectic product:

    $u \circ u' = kj' - jk' \bmod p$    (3.1)

where u = (j, k) and u' = (j', k'). Thus, $S_u$ and $S_v$ commute if and only if the
symplectic product of their vector indices equals zero.

Once we have the classes of commuting matrices, we can make a direct 
computation (or invoke Theorem 1.1) to argue the existence of a complete set 
of mutually unbiased bases. We can construct these bases explicitly in terms of 
the spin matrices as follows. 

Proposition 3.2 Let $a \in Z_p$ and define

    $C_a = \{b(1,0) + ba(0,1) = b(1,a) : b \in Z_p\}$
    $C_\infty = \{b(0,1) : b \in Z_p\}$.

There are p vectors in each of these p + 1 classes and $C_r \cap C_s = \{(0,0)\}$ for all
$r \ne s$ in $I = \{0, 1, \ldots, p-1, \infty\}$. If u, v are in $C_r$, then $u \circ v = 0$.

Proof. The vectors e = (1, 0) and f = (0, 1) are linearly independent with
$f \circ e = 1$ and $e \circ e = f \circ f = 0$. If $b(1,a) = b'(1,a')$, then $b = b'$ and, if $b \ne 0$,
$a = a'$. This proves the first assertion for the $C_a$ classes. Using the linearity of
the symplectic product,

    $[b(1,a)] \circ [c(1,a)] = bc\,(1,a) \circ (1,a) = 0$.

The same arguments work for $C_\infty$. □

The $C_t$ can be thought of as lines in a two-dimensional space. In addition
the vectors in $C_t$ can be written as a multiple of a single vector $u_t = (j_t, k_t)$,
and $C_t$ is an additive subgroup of $V_2(Z_p)$. The matrices associated with $C_t$ are
$\{S_{nu_t} : 0 \le n < p\}$; they commute but do not form a multiplicative subgroup of
the unitary matrices by virtue of Corollary 2.3 (iii). We nonetheless consider
$S_{u_t}$ to be the "generator" of $\{S_{nu_t} : 0 \le n < p\}$ with the understanding that it
is $S_{nu_t}$, not $(S_{u_t})^n = \eta^{j_t k_t \binom{n}{2}} S_{nu_t}$, that is in the class.

Theorem 1.1 guarantees that the orthonormal eigenvectors for each class
solve the MUB problem, and we can use the indicial notation to express the
associated orthogonal projections explicitly in terms of the unitary matrices
|1(J) . We begin with a definition that is valid for all d and is required to handle
the computations in general.

Definition 3.3 Let $0 \le j, k < d$ and u = (j, k). If d is even and both j and k
are odd, set $\alpha_u = -\exp(\pi i/d) = -\eta^{1/2}$. Otherwise set $\alpha_u = 1$.

For example, for d = 2 and j = k = 1, $\alpha_u = -i$. In general, for $d \ge 2$,
$\alpha_u^d\, \eta^{jk\binom{d}{2}} = 1$.

Definition 3.4 For each $u = (j, k) \ne (0, 0)$ and $0 \le r < d$, define

    $P_u(r) = \frac{1}{d} \sum_{m=0}^{d-1} (\alpha_u \eta^r S_u)^m$,    (3.5)

where $(\alpha_u \eta^r S_u)^d = S_{0,0}$.

Proposition 3.6 For d a prime, $\{P_u(r) : 0 \le r < d\}$ is a complete set of
mutually orthogonal projections.

It is easy to check that $P_u(r)$ has trace one and that

d-i 

{auV'^Su f = {m + r), (3.7) 

f [TU). equation (13)). We need to confirm that the $P_u(r)$'s constitute a set of d
orthogonal, one-dimensional projections, and we provide the details in Appendix
A.

As just noted, the indices of members of a commuting class are multiples of
a vector $u_t$. Thus if $u = bu_t$, then $P_u(r)$ should be $P_{u_t}(s)$ for some s, and we
confirm that fact next.

Corollary 3.8 If p > 2 is prime and $u = bu_t = b(j_t, k_t)$ with $2 \le b < p$,
then $P_u(r) = P_{u_t}(s)$, where $s = b^{-1}\left(r - j_t k_t \binom{b}{2}\right)$ and $b^{-1}$ is the multiplicative
inverse of b modulo p.

Proof. From (iii) it follows that $(S_u)^m = \eta^{-j_t k_t \binom{b}{2} m}\, (S_{u_t})^{bm}$. Hence

^ d-l d-1 
m— n— 

where we made the substitution n = bm mod p. □

We now show that $\mathrm{Tr}[P_u(r) P_{u'}(s)] = 1/d$, where it suffices to take u =
(1, a) and u' = (1, a') as representatives of different classes $C_a$. In general

Pu (r) Pu' (S) = 4 E E ""^""^"-"("^^'^y'^+^'^^^^mu^W, 

and we see that the only contribution to the trace is for mu + nu' = (0, 0) mod p.
(Again, $\binom{m}{2}$ is taken to be zero if m = 0 or 1.) This means that m and n satisfy

Since $a \ne a'$, only m = n = 0 satisfy the equation. Hence $\mathrm{Tr}[P_{bu}(r) P_{b'u'}(s)] =
1/d$ as required. The details for $C_\infty$ are similar. We now have proved the
following theorem that recaptures the basic result of 5 .

Theorem 3.9 If p is prime, there is a complete set of p + 1 mutually unbiased
bases $B_a$, $0 \le a < p$, and $B_\infty$ that are the normalized eigenvectors of
the corresponding sets of commuting spin matrices $\{S_{b,ba} : b \in Z_p\} \leftrightarrow C_a$ and
$\{S_{0,b} : b \in Z_p\} \leftrightarrow C_\infty$. These bases can be computed from the projections in eq.

Example: The classes for d = 2 are $\{S_{0,0}, S_{1,0}\}$, $\{S_{0,0}, S_{1,1}\}$, and $\{S_{0,0}, S_{0,1}\}$,
where $S_{1,0} = \sigma_z$, $S_{0,1} = \sigma_x$, and $S_{1,1} = i\sigma_y$. The MUB's are determined by
the projectors $\tfrac{1}{2}(\sigma_0 \pm \sigma_z)$, $\tfrac{1}{2}(\sigma_0 \pm \sigma_y)$, and $\tfrac{1}{2}(\sigma_0 \pm \sigma_x)$ from (3.5). The factor
$\alpha_{1,1} = -i$ is needed to recover the projections $\tfrac{1}{2}(\sigma_0 \pm \sigma_y)$ from the general
formula.

We obtain four classes of commuting spin matrices for d = 3 and can represent
them in a 3 × 3 table, where the row index denotes j and the column index
k in $S_{j,k}$. Similar tables can be constructed for larger values of p, and in a finite
geometry interpretation the classes $C_r$ determine lines intersecting only at the
origin.
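The construction of this section can be checked numerically. The following is an added example, not code from the paper: it builds $S_{j,k}$ from Definition 2.1, the projections $P_u(r)$ from (3.5) with the phase $\alpha_u$ of Definition 3.3, and measures how far the p + 1 bases of Proposition 3.2 are from satisfying the MUB conditions. The function names and the plain list-of-lists matrix representation are choices made for this example.

```python
import cmath

def spin(j, k, d):
    """Generalized spin matrix S_{j,k} = sum_m eta^(j*m) |m><m+k| (Definition 2.1)."""
    eta = cmath.exp(2 * cmath.pi * 1j / d)
    S = [[0j] * d for _ in range(d)]
    for m in range(d):
        S[m][(m + k) % d] = eta ** (j * m)
    return S

def matmul(A, B):
    d = len(A)
    return [[sum(A[r][t] * B[t][c] for t in range(d)) for c in range(d)]
            for r in range(d)]

def trace(A):
    return sum(A[i][i] for i in range(len(A)))

def alpha(u, d):
    """Phase of Definition 3.3: -exp(pi*i/d) if d is even and j, k are both odd, else 1."""
    j, k = u
    if d % 2 == 0 and j % 2 == 1 and k % 2 == 1:
        return -cmath.exp(cmath.pi * 1j / d)
    return 1 + 0j

def projector(u, r, d):
    """P_u(r) = (1/d) * sum_{m=0}^{d-1} (alpha_u eta^r S_u)^m, equation (3.5)."""
    eta = cmath.exp(2 * cmath.pi * 1j / d)
    c = alpha(u, d) * eta ** r
    base = [[c * x for x in row] for row in spin(u[0], u[1], d)]
    power = [[1 + 0j if a == b else 0j for b in range(d)] for a in range(d)]
    total = [[0j] * d for _ in range(d)]
    for _ in range(d):
        total = [[total[a][b] + power[a][b] for b in range(d)] for a in range(d)]
        power = matmul(power, base)
    return [[x / d for x in row] for row in total]

def class_generators(p):
    """Generators u_t of the p + 1 classes of Proposition 3.2."""
    return [(1, a) for a in range(p)] + [(0, 1)]   # C_0 .. C_{p-1}, then C_inf

def mub_defect(p):
    """Largest deviation of Tr[P Q] from its required value over all pairs:
    1/p across different classes, 1 or 0 inside one class."""
    bases = [[projector(u, r, p) for r in range(p)] for u in class_generators(p)]
    worst = 0.0
    for s, Bs in enumerate(bases):
        for t, Bt in enumerate(bases):
            for r1, P in enumerate(Bs):
                for r2, Q in enumerate(Bt):
                    if s != t:
                        target = 1 / p
                    else:
                        target = 1.0 if r1 == r2 else 0.0
                    worst = max(worst, abs(trace(matmul(P, Q)) - target))
    return worst

def commute(u, v, d):
    """Numerical test of S_u S_v = S_v S_u, to compare with u o v = 0 in (3.1)."""
    A, B = spin(u[0], u[1], d), spin(v[0], v[1], d)
    AB, BA = matmul(A, B), matmul(B, A)
    return max(abs(AB[a][b] - BA[a][b]) for a in range(d) for b in range(d)) < 1e-9

if __name__ == "__main__":
    for p in (2, 3, 5):
        print(p, mub_defect(p))
```
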








           k = 0    k = 1    k = 2
  j = 0             C∞       C∞
  j = 1    C0       C1       C2
  j = 2    C0       C2       C1

An additional feature of the spin matrices allows one to express estimates of
the components of a density $\rho$ in the original fixed basis in terms of
measurements in the MUB bases. We sketch the idea. Assume d = p and express the
density matrix as 



1 

P = - 
P 



p-i 

j,k=0 



tei jjeCt-{(o,o)} 



where $I = \{0, 1, \ldots, p-1, \infty\}$. From the orthogonality of the spin matrices and
their representation in terms of the projections of their commuting class, we
know that

    $s_u = \mathrm{Tr}(S_u^\dagger \rho) = \alpha_u \sum_m \eta^m p_u(m)$    (3.10)

where $p_u(m) = \mathrm{Tr}[P_u(m)\rho]$. A measuring device $M_u$ may be characterized by
$\{P_u(m), 0 \le m < p\}$. If the system is in a state modeled by the density $\rho$,
determines the probability, $p_u(m)$, of the outcome m. The experimental results
of measurements over an ensemble of systems give estimates for these probabilities
and, by (3.10), estimates for all of the spin coefficients with indices in that
commuting class. Since the spin coefficients themselves are Fourier transforms
of entries of $\rho$ in the original basis (^OIj equation (11)), it follows that an
estimate of $\rho$ in this basis can be expressed explicitly in terms of measurements in
the MUB bases. For a more complete discussion of the estimation problem see



4 The MUB problem for d = p^2, p an odd prime

It was shown in that the MUB problem can be solved for powers of primes.
We give a concrete construction based on algebraic techniques and motivated
by the results in the preceding section and Theorem 1.1. This requires a certain
amount of abstract algebra, and we present the special case of $d = p^2$ to
illustrate the results and the ideas. (The case p = 2 requires a modification
of the approach used here and is discussed in the next section.) However, the
basic strategy is the same as before. We use the indices of the spin matrices to
encode commutativity and techniques of vector spaces over finite fields to define
the appropriate classes. The actual MUB bases can then be recovered from the
classes of commuting spin matrices.

We are working with tensor products of the form $S_u \otimes S_v$, where commutativity
is again encoded by the indices so that $S_{u_1} \otimes S_{v_1}$ commutes with $S_{u_2} \otimes S_{v_2}$
if and only if

    $u_1 \circ u_2 + v_1 \circ v_2 = 0 \bmod p$,

where u = (j, k) and v = (a, b). It is now useful to consider vectors in a four
dimensional vector space over $Z_p$, $V_4(Z_p) = \{w = (j, k, a, b) = (u, v)\}$, and to
define the symplectic product on the four dimensional space as

    $w_1 \circ w_2 = u_1 \circ u_2 + v_1 \circ v_2$.    (4.1)

The first two indices in w correspond to the indices in the first factor and the
second two indices correspond to the second factor in the tensor product $S_u \otimes S_v$.

The solution to the problem of finding the commuting classes of spin matrices
now reduces to finding the classes of vectors w that satisfy $w_1 \circ w_2 = 0$. A
technology for doing this is discussed in Appendix C. Here we simply give the
results.

For p an odd prime, the procedure to define classes of four-vectors with
symplectic products equal to zero requires a particular non-zero integer D in
$Z_p$. D is defined by the requirement that $D \ne k^2 \bmod p$ for all k in $Z_p$, i.e. D
is not a quadratic residue of p.

Theorem 4.2 Let p be an odd prime. Then commuting classes of spin matrices
are indexed by the following subsets of $V_4(Z_p)$:

    $C_{a_0,a_1} = \{(2b_0,\ a_0b_0 + a_1b_1D,\ 2b_1D,\ a_0b_1 + a_1b_0) : b_0, b_1 \in Z_p\}$
    $C_\infty = \{(0, b_0, 0, b_1) : b_0, b_1 \in Z_p\}$,

where $a_0, a_1 \in Z_p$ and $(j_1, k_1, j_2, k_2)$ corresponds to $S_{j_1,k_1} \otimes S_{j_2,k_2}$. $C_{a_0,a_1}$ is a
subspace of $V_4(Z_p)$ with basis

    $G_{a_0,a_1} = \{(2, a_0, 0, a_1),\ (0, a_1D, 2D, a_0)\}$

and $C_\infty$ has the basis $G_\infty = \{(0, 1, 0, 0), (0, 0, 0, 1)\}$.

The structure of $C_{a_0,a_1}$ is hardly an intuitive result, but we take it as given
and confirm the desired properties. There are $p^2 + 1$ such classes. We claim
that each class has $p^2$ members, that $w_1 \circ w_2 = 0$ for vectors in the same class,
and that the only vector common to any pair of classes is (0, 0, 0, 0). If so, then
the classes partition $V_4(Z_p) - \{(0, 0, 0, 0)\}$ as required.

The verification of these three properties is quite easy, and we leave the
details to the reader. We should note, however, that in checking the last property
we are led to the equations

    $a_0b_0 + a_1b_1D = a_0'b_0 + a_1'b_1D$
    $a_0b_1 + a_1b_0 = a_0'b_1 + a_1'b_0$,

where $a_0, a_1$ and $a_0', a_1'$ denote indices of the first type of class and $b_0 \ne 0 \ne b_1$.
This system can be rewritten as a matrix equation

    $\begin{pmatrix} b_0 & b_1D \\ b_1 & b_0 \end{pmatrix} \begin{pmatrix} a_0 - a_0' \\ a_1 - a_1' \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \end{pmatrix}$

that has only the trivial solution provided $b_1^2 D \ne b_0^2 \bmod p$. Since $x^2 = D$ is
not solvable in $Z_p$, all of the properties hold and we have classes of commuting
spin matrices of the form $S_{2b_0,\,a_0b_0+a_1b_1D} \otimes S_{2b_1D,\,a_0b_1+a_1b_0}$ indexed by $a_0$ and
$a_1$. The matrices associated with $C_\infty$ have the form $S_{0,b_0} \otimes S_{0,b_1}$.

We can always find such values D. For example, if p = 3, D = 2; if p = 5, D
can be 2 or 3; and if p = 7, D can be chosen to be one of 3, 5, or 6. The reason
for this is clear. The square of x and of its additive inverse p − x are equal in
$Z_p$. It then follows that there are (p − 1)/2 choices for D. This argument fails
when p = 2, and we need to modify the methodology to handle that case.

The analysis can be illustrated in $V_4(Z_p)$. For example, if p = 3 a complete
set of mutually unbiased bases corresponds to the 10 classes of commuting spin
matrices defined by the recipe above. We represent the result in a grid whose
row label is $j_1j_2$ and whose column label is $k_1k_2$. The entries are $C_{a_0a_1}$.





  j1j2 \ k1k2   00    01    02    10    11    12    20    21    22
  00                  C∞    C∞    C∞    C∞    C∞    C∞    C∞    C∞
  01            C00   C10   C20   C02   C12   C22   C01   C11   C21
  02            C00   C20   C10   C01   C21   C11   C02   C22   C12
  10            C00   C02   C01   C20   C22   C21   C10   C12   C11
  11            C00   C21   C12   C11   C02   C20   C22   C10   C01
  12            C00   C11   C22   C12   C20   C01   C21   C02   C10
  20            C00   C01   C02   C10   C11   C12   C20   C21   C22
  21            C00   C22   C11   C21   C10   C02   C12   C01   C20
  22            C00   C12   C21   C22   C01   C10   C11   C20   C02


The identity $S_{0,0} \otimes S_{0,0}$ lies in all the classes and each of the remaining $9^2 - 1$
tensor products is in exactly one class. If this grid of 81 points is considered as
a plane, then the set of points corresponding to two classes can be thought of
as lines that intersect at only one point, the origin. This representation gives
some indication of the finite geometry implicit in the analysis. (In particular, a
set of translations of a fixed class partitions the entire grid.)

We used properties of finite fields to obtain the commuting classes described
in Theorem 4.2 and in Appendix C we define the methodology for $d = p^2$ that
generalizes to the case when $d = p^n$. There are two basic ideas. The first is to
use the form of the construction of the classes when d = p but over an extension
of the field $Z_p$, the Galois field $GF(p^2)$. This produces commuting classes $C_\alpha$
of $V_2(GF(p^2))$, where $\alpha \in GF(p^2)$. The second idea is to map these classes
isomorphically to $V_4(Z_p)$ in such a way that the symplectic product of the
two-dimensional vector space over the extended field is related to the symplectic
product of the four-dimensional vector space over the smaller field.
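The three properties claimed for the classes of Theorem 4.2 (size, vanishing symplectic product, intersection only at the origin) can be checked by enumeration. The following is an added example, not code from the paper; it also shows the failure when D is chosen to be a quadratic residue. Function names and the label "inf" for $C_\infty$ are choices made for this example.

```python
from itertools import product

def non_residues(p):
    """Admissible D for an odd prime p: nonzero elements of Z_p that are not squares."""
    squares = {(k * k) % p for k in range(p)}
    return [x for x in range(1, p) if x not in squares]

def symplectic(w1, w2, p):
    """w1 o w2 = u1 o u2 + v1 o v2 with u o u' = k j' - j k' (equations 3.1 and 4.1)."""
    j1, k1, a1, b1 = w1
    j2, k2, a2, b2 = w2
    return (k1 * j2 - j1 * k2 + b1 * a2 - a1 * b2) % p

def commuting_classes(p, D):
    """The p^2 + 1 index sets of Theorem 4.2, keyed by (a0, a1) or 'inf'."""
    classes = {}
    for a0, a1 in product(range(p), repeat=2):
        classes[(a0, a1)] = {
            ((2 * b0) % p, (a0 * b0 + a1 * b1 * D) % p,
             (2 * b1 * D) % p, (a0 * b1 + a1 * b0) % p)
            for b0, b1 in product(range(p), repeat=2)
        }
    classes["inf"] = {(0, b0, 0, b1) for b0, b1 in product(range(p), repeat=2)}
    return classes

def verify(p, D):
    """Return {nonzero w: class label} if every class has p^2 members, all
    symplectic products inside a class vanish, and the classes partition
    V_4(Z_p) minus the origin; return None as soon as one property fails."""
    owner = {}
    for label, members in commuting_classes(p, D).items():
        if len(members) != p * p:
            return None
        for w1 in members:
            if any(symplectic(w1, w2, p) for w2 in members):
                return None
            if any(w1):                      # skip the origin, shared by all classes
                if w1 in owner:              # two classes meet away from the origin
                    return None
                owner[w1] = label
    return owner if len(owner) == p ** 4 - 1 else None

def grid_entry(owner, row, col):
    """Entry of the grid for row label j1j2 and column label k1k2."""
    (j1, j2), (k1, k2) = row, col
    return owner[(j1, k1, j2, k2)]

if __name__ == "__main__":
    owner = verify(3, 2)
    for row in product(range(3), repeat=2):
        print(row, [grid_entry(owner, row, col) if any(row + col) else None
                    for col in product(range(3), repeat=2)])
    print("D = 1 (a quadratic residue mod 3):", verify(3, 1))
```
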

5 The MUB problem for d = p^n, p prime

The MUB problem for $d = p^n$ can be solved in a way similar to that used in the
special case treated above using suitable generalizations of the methodology.
A complication is that one cannot write down an explicit form of a function
f(x) that plays the role of $x^2 - D$ when n = 2 and works in all cases when
p > 2. Instead, we must take as given f(x) with the properties summarized in
Appendix D and compute it in specific cases.

Specifically, we are guaranteed the existence of a finite field $GF(p^n)$ that
contains $Z_p$ and whose elements can be represented with the help of a polynomial
f(x) of degree n that is irreducible over $Z_p$ and has n distinct roots in $GF(p^n)$.
The first step is the analogue of Proposition C.1 and the proof follows the
reasoning used in the proof of Proposition 3.2.

Let $V_2(GF(p^n)) = \{u = (\alpha, \beta) : \alpha, \beta \in GF(p^n)\}$ and define the symplectic
product:

    $u \circ u' = \beta\alpha' - \alpha\beta'$.

Proposition 5.1 Let $\alpha \in GF(p^n)$ and define subsets of the vector
space $V_2(GF(p^n))$:

    $C_\alpha = \{\beta(1,0) + \beta\alpha(0,1) = \beta(1,\alpha) : \beta \in GF(p^n)\}$
    $C_\infty = \{\beta(0,1) : \beta \in GF(p^n)\}$.

Then these are $p^n + 1$ sets, each of which has $p^n$ vectors with only (0,0) common
to any two sets. If u and v are in the same set, $u \circ v = 0$.

In Appendix D we provide the technical structure that justifies the following
theorem. The general argument follows the proof in the $d = p^2$ case, and we
omit the details.

Theorem 5.2 The elements of $V_2(GF(p^n))$ can be written as vectors in a
2n-dimensional vector space over $Z_p$. Let $\{e_j, f_j : 0 \le j < n\}$ denote the 2n linearly
independent vectors defined in Appendix D, which satisfy $\mathrm{Tr}(e_j \circ f_k) = \delta(j, k)$.
The symplectic product in $V_2(GF(p^n))$ is denoted by "$\circ$" and Tr is the trace
operation. Using indexing beginning at 0, let M denote the linear mapping that
maps $e_j$ to the 2n-vector in $V_{2n}(Z_p)$ with a 1 in position 2j and zeroes elsewhere
and maps $f_j$ to the vector with a 1 in position 2j + 1 and zeroes elsewhere.
Then for every vector $u \in V_2(GF(p^n))$ we have $w = M(u) \in V_{2n}(Z_p)$, and the
symplectic products are related by

    $w_1 \circ w_2 = \mathrm{Tr}(u_1 \circ u_2)$.

Commuting classes of vectors $C_\alpha$ in $V_2(GF(p^n))$ map to commuting classes
of vectors in $V_{2n}(Z_p)$, and, consequently, define commuting classes of tensor
products of spin matrices.

Here is the way to apply this theorem in specific cases, given p, n, and an
irreducible polynomial f without multiple roots that generates $GF(p^n)$:

Step 1: Given a (symbolic) root $\lambda$ of

    $f(\lambda) = \lambda^n + \sum_{k=0}^{n-1} c_k \lambda^k = 0$,

find all n roots in terms of $\lambda$. (If f is a primitive polynomial, the theory
guarantees that the roots have the form $\lambda^{p^t}$, $0 \le t \le n - 1$.)

Step 2: Compute a set of coefficients $d_k(\lambda)$ from

    $f(x) = (x - \lambda)(d_{n-1}x^{n-1} + \cdots + d_1 x + d_0)$.

The $d_k(\lambda)$ can be written as symmetric functions of the roots and $d_{n-1} = 1$.

Step 3: Compute the inverse of $f'(\lambda)$ as an element in $GF(p^n)$.

Step 4: Define the bases $f_k = \lambda^k (0, 1)$ and its dual $e_k = d_k(\lambda)\,(f'(\lambda))^{-1} (1, 0)$.

Step 5: For each $\alpha = a_0 + a_1\lambda + \cdots + a_{n-1}\lambda^{n-1}$ in $GF(p^n)$, express vectors in
$C_\alpha$ as a linear combination of the $e_k$'s and $f_k$'s with coefficients in $Z_p$:

    $\sum_{j=0}^{n-1} b_j\lambda^j\,(1, 0) + \left(\sum_{j=0}^{n-1} b_j\lambda^j\,\alpha\right)(0, 1) = \sum_{j=0}^{n-1} (x_j e_j + y_j f_j)$.

Step 6: The class corresponding to $C_\alpha$ and the corresponding set of commuting
spin matrices are

    $C_{a_0 \cdots a_{n-1}} = \{(x_0, y_0, x_1, y_1, \ldots, x_{n-1}, y_{n-1})\}$

The associated projections can be computed using the methodology described
in Appendix B.

To illustrate these theoretical results and the algorithm described, we first
show that the machinery used in the case $d = p^2$ is indeed a special case of the
general result. Since $f(x) = x^2 - D = (x - \lambda)(x + \lambda)$, $d_0 = \lambda$ and $d_1 = 1$.
From $f'(\lambda) = 2\lambda$ and $(2\lambda)^{-1} = \lambda(2D)^{-1}$, we have $e_0 = 2^{-1}(1, 0)$ and $e_1 =
\lambda(2D)^{-1}(1, 0)$. As usual $f_0 = (0, 1)$ and $f_1 = \lambda(0, 1)$. This is the structure
used in Appendix C to derive Theorem 4.2.

Example 1: For two qubits, p = n = 2, an appropriate polynomial is $f(x) =
x^2 + x + 1$. Then $f'(x) = 1$. If $f(\lambda) = 0$, then $\lambda^2 = \lambda + 1$ is the second root,
giving $d_1 = 1$ and $d_0 = \lambda^2$, since $x^2 + x + 1 = (x - \lambda)(x - (\lambda + 1))$. Then

    $e_0 = \lambda^2(1, 0)$, $e_1 = (1, 0)$, $f_0 = (0, 1)$, $f_1 = \lambda(0, 1)$.

The five classes of vectors in $V_2(GF(2^2))$ indexed by $\alpha = a_0 + a_1\lambda$ are:

    $C_0 = \{(0,0), (1,0), (\lambda,0), (\lambda^2,0)\} = \{0, e_1, e_0 + e_1, e_0\}$.

In the remaining classes we omit the zero vector.

    $C_1 = \{(1,1), (\lambda,\lambda), (\lambda^2,\lambda^2)\} = \{e_1 + f_0,\ e_0 + e_1 + f_1,\ e_0 + f_0 + f_1\}$

    $C_\lambda = \{(1,\lambda), (\lambda,\lambda^2), (\lambda^2,1)\} = \{e_1 + f_1,\ e_0 + e_1 + f_0 + f_1,\ e_0 + f_0\}$

    $C_{\lambda^2} = \{(1,\lambda^2), (\lambda,1), (\lambda^2,\lambda)\} = \{e_1 + f_0 + f_1,\ e_0 + e_1 + f_0,\ e_0 + f_1\}$

    $C_\infty = \{(0,1), (0,\lambda), (0,\lambda^2)\} = \{f_1,\ f_0 + f_1,\ f_0\}$.

If one plots each of the $C_\alpha$ as four points in $V_2(GF(2^2))$, using as coordinates
the elements of $GF(2^2)$, one obtains the left hand plots in [^Hli Figure 6]. The
remaining plots are obtained by translation and the result is a partition of the
plane since "parallel" lines don't intersect. Under the mapping M,

    $C_0 \to C_{0,0} = \{(0000), (0010), (1010), (1000)\}$,
    $C_1 \to C_{1,0} = \{(0000), (0110), (1011), (1101)\}$,
    $C_\lambda \to C_{0,1} = \{(0000), (0011), (1111), (1100)\}$,
    $C_{\lambda^2} \to C_{1,1} = \{(0000), (0111), (1110), (1001)\}$,
    $C_\infty \to C_\infty = \{(0000), (0100), (0001), (0101)\}$,

where we abuse the notation in the last set. We can write these in terms of the
spin matrices, but it looks more familiar using Pauli matrices. Omitting the
identity $\sigma_0 \otimes \sigma_0$, the classes are

    $C_{0,0} \leftrightarrow \{\sigma_0 \otimes \sigma_z,\ \sigma_z \otimes \sigma_z,\ \sigma_z \otimes \sigma_0\}$
    $C_{0,1} \leftrightarrow \{\sigma_0 \otimes i\sigma_y,\ i\sigma_y \otimes i\sigma_y,\ i\sigma_y \otimes \sigma_0\}$
    $C_{1,0} \leftrightarrow \{\sigma_x \otimes \sigma_z,\ \sigma_z \otimes i\sigma_y,\ i\sigma_y \otimes \sigma_x\}$
    $C_{1,1} \leftrightarrow \{\sigma_x \otimes i\sigma_y,\ i\sigma_y \otimes \sigma_z,\ \sigma_z \otimes \sigma_x\}$
    $C_\infty \leftrightarrow \{\sigma_x \otimes \sigma_0,\ \sigma_0 \otimes \sigma_x,\ \sigma_x \otimes \sigma_x\}$.

We discuss the associated projections in the next section.

Example 2: For three qubits, p = 2 and n = 3, there are two primitive
polynomials. We take $f(x) = x^3 + x + 1$. If $\lambda$ is a root, so are $\lambda^2$ and
$\lambda^4 = \lambda + \lambda^2$. $f'(\lambda) = \lambda^2 + 1$ and $(\lambda^2 + 1)^{-1} = \lambda$. From
$x^3 + x + 1 = (x - \lambda)(x^2 + \lambda x + \lambda^2 + 1)$, we get

    $e_0 = (1, 0)$, $e_1 = \lambda^2(1, 0)$, $e_2 = \lambda(1, 0)$.

We can summarize the subsequent analysis by writing out the classes $C_{a_0a_1a_2}$
or the sets of associated spin matrices, (5.3). A more compact summary follows
from the observation that each class $C_{a_0a_1a_2}$ is a subspace of $V_6(Z_2)$ with a basis
of three vectors defined by setting one of the $x_j = 1$ and the other x's to zero.
The basis for $C_\infty$ is obtained by setting one of the $y_j = 1$ and the others to
zero. Denoting the bases by $G_{a_0a_1a_2}$ we obtain:

    $G_{000} = \{(100000), (001000), (000010)\}$
    $G_{100} = \{(110000), (000110), (001001)\}$
    $G_{010} = \{(100100), (000011), (011100)\}$
    $G_{110} = \{(110100), (000111), (011101)\}$
    $G_{001} = \{(100001), (010110), (001101)\}$
    $G_{101} = \{(110001), (010010), (001100)\}$
    $G_{011} = \{(100101), (010111), (011001)\}$
    $G_{111} = \{(110101), (010011), (011000)\}$
    $G_\infty = \{(010000), (000100), (000001)\}$

The spin matrices associated with the generators can be determined using (5.3).
For example, the set of matrices associated with the set of indices generated by
$G_{010}$ is

    $\{\sigma_0 \otimes \sigma_0 \otimes \sigma_0,\ \sigma_z \otimes \sigma_x \otimes \sigma_0,\ \sigma_x \otimes i\sigma_y \otimes \sigma_0,\ i\sigma_y \otimes \sigma_z \otimes \sigma_0,$
    $\ \sigma_0 \otimes \sigma_0 \otimes i\sigma_y,\ \sigma_z \otimes \sigma_x \otimes i\sigma_y,\ \sigma_x \otimes i\sigma_y \otimes i\sigma_y,\ i\sigma_y \otimes \sigma_z \otimes i\sigma_y\}$.

Again we defer the discussion of the associated projectors to the next section.
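Steps 1 to 6 can be carried out mechanically for p = 2, where the signs in the symplectic product and in the division of f(x) by (x − λ) disappear. The following is an added example, not code from the paper: it represents an element of $GF(2^n)$ as an integer whose bit i is the coefficient of $\lambda^i$, computes the dual basis of Step 4, and applies the map M of Theorem 5.2, using $x_j = \mathrm{Tr}(\beta\lambda^j)$ to read off the $e_j$-coefficients. The representation, the function names and the label "inf" are choices made for this example.

```python
def gf_mul(a, b, poly, n):
    """Product in GF(2^n); poly is f(x) as a bit mask, including the x^n term."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return result

def gf_pow(a, e, poly, n):
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, poly, n)
        a = gf_mul(a, a, poly, n)
        e >>= 1
    return result

def gf_trace(a, poly, n):
    """Tr(a) = a + a^2 + a^4 + ... + a^(2^(n-1)), which lies in Z_2."""
    total, term = 0, a
    for _ in range(n):
        total ^= term
        term = gf_mul(term, term, poly, n)
    return total

def dual_basis(poly, n):
    """Steps 2-4: the field elements d_k(lambda) / f'(lambda), so e_k = result[k] * (1, 0)."""
    lam = 2
    c = [(poly >> k) & 1 for k in range(n + 1)]      # f(x) = sum_k c_k x^k, c_n = 1
    d = [0] * n
    d[n - 1] = 1
    for k in range(n - 1, 0, -1):                    # d_{k-1} = c_k + lambda * d_k
        d[k - 1] = c[k] ^ gf_mul(lam, d[k], poly, n)
    fprime = 0
    for k in range(1, n + 1, 2):                     # odd-degree terms survive mod 2
        if c[k]:
            fprime ^= gf_pow(lam, k - 1, poly, n)
    inverse = gf_pow(fprime, 2 ** n - 2, poly, n)    # Step 3
    return [gf_mul(dk, inverse, poly, n) for dk in d]

def to_vector(beta, alpha, poly, n):
    """M applied to beta*(1, alpha): the tuple (x_0, y_0, ..., x_{n-1}, y_{n-1})."""
    y_bits = gf_mul(beta, alpha, poly, n)            # beta*alpha = sum_j y_j lambda^j
    w = []
    for j in range(n):
        x_j = gf_trace(gf_mul(beta, gf_pow(2, j, poly, n), poly, n), poly, n)
        w += [x_j, (y_bits >> j) & 1]
    return tuple(w)

def generators(alpha, poly, n):
    """Basis G_alpha: images of e_j + alpha-part, i.e. beta = dual basis element j."""
    return [to_vector(eps, alpha, poly, n) for eps in dual_basis(poly, n)]

def span(gens):
    vectors = {tuple([0] * len(gens[0]))}
    for g in gens:
        vectors |= {tuple(a ^ b for a, b in zip(v, g)) for v in vectors}
    return vectors

def all_classes(poly, n):
    """Classes keyed by the string a_0 a_1 ... a_{n-1}, plus 'inf' for C_inf."""
    classes = {format(alpha, f"0{n}b")[::-1]: span(generators(alpha, poly, n))
               for alpha in range(2 ** n)}
    classes["inf"] = span([tuple(1 if i == 2 * j + 1 else 0 for i in range(2 * n))
                           for j in range(n)])
    return classes

def symplectic(w1, w2):
    return sum(w1[i + 1] * w2[i] - w1[i] * w2[i + 1] for i in range(0, len(w1), 2)) % 2

def is_mub_partition(classes, n):
    """Each class has 2^n members, is isotropic, and the classes tile V_2n(Z_2) \\ {0}."""
    seen = set()
    for members in classes.values():
        nonzero = {w for w in members if any(w)}
        if len(members) != 2 ** n or seen & nonzero:
            return False
        if any(symplectic(a, b) for a in members for b in members):
            return False
        seen |= nonzero
    return len(seen) == 4 ** n - 1
```

With `poly = 0b111, n = 2` this reproduces the classes of Example 1, and with `poly = 0b1011, n = 3` the bases $G_{a_0a_1a_2}$ of Example 2.
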

6 Separable measurements 

If $d = p^n$, the basic Hilbert space H can be represented as an n-fold tensor
product $H_1 \otimes \cdots \otimes H_n$ and each factor can be associated with a distinct subsystem.
If a projection P factors as $P_1 \otimes \cdots \otimes P_n$ compatible with the representation
of H, then measurements can be made by coordinating local measurements at
the n different sites. One calls such a projection completely separable. The
generalization of this idea is that

    $P = P(I_1) \otimes \cdots \otimes P(I_m)$

where the $I_k$ are disjoint sets of indices such that $I_1 \cup \cdots \cup I_m = \{1, \ldots, n\}$. A
projection factoring this way is called $(I_1, \ldots, I_m)$ separable. In this case the m
subsystems can be measured separately without loss of information. If P has no
such factorization, we say it is completely inseparable. Separability properties of
bases were discussed in some of the earlier work, jS| for example. The notation
here facilitates a systematic analysis. Just as the commutativity of the spin
matrices is encoded in the indices, the nature of separability of the mutually
unbiased bases is also encoded in the indices. For example, let n = 2 and let
p be odd and consider the set $C_{a_0,0} = \{(2b_0, a_0b_0, 2b_1D, a_0b_1)\}$ of indices from
Section 4. In the notation of Appendix B, $u_1 = (2, a_0)$, $u_2 = (0, 0)$, $v_1 = (0, 0)$,
and $v_2 = (2D, a_0)$. The associated projections computed from Appendix B are



^ mi m2 

\ mi / \ m2 / 

a tensor product of projections. Hence the projections associated with $C_{a_0,0}$ are
completely separable.

The $G_{010}$ in Example 2 of Section 5 illustrates partial separability. Using
010 as a subscript in place of $u, v$, $P_{010}(r_1 r_2 r_3)$ can be written as



\ nil m2 / \ ms 



((-irv.)^ 



We describe this as (12)(3) separability. An examination of the remaining cases
shows that $G_\infty$ and $G_{000}$ are completely separable, $G_{100}$ and $G_{101}$ are (1)(23)
and (13)(2) separable, respectively, and the remaining cases are completely
inseparable.

These separability properties are also apparent in the basis vectors. For
example, in Theorem 4.2 the subspace $C_{a_0,0}$ of $V_4(Z_p)$ can be written as a
direct sum of two subspaces:

$$C_{a_0,0} = \mathrm{span}((2, a_0, 0, 0)) \oplus \mathrm{span}((0, 0, 2D, a_0)).$$

In Example 2 of Section 5 the subspace $C_{010}$ of $V_6(Z_2)$ can be written as

$$C_{010} = \mathrm{span}((100100), (011100)) \oplus \mathrm{span}((000011)).$$

The general case is the obvious extension to more indices and different
varieties of separability. We limit ourselves to a bipartite factorization for simplicity,
and we omit the proof.
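The separability claims for Example 2 can be checked mechanically from the index vectors. The following Python sketch is an added example, not code from the paper: it takes the nine generator sets listed in the table of Section 5, finds for each the finest partition of the three subsystems under which its span is a direct sum of subspaces supported on the blocks, and confirms that every span has symplectic product zero. The function names are hypothetical.

```python
from itertools import product
from math import prod

# Generator sets from the table of Example 2, as index vectors (j1 k1 j2 k2 j3 k3) over Z_2.
G = {
    "000": ("100000", "001000", "000010"), "100": ("110000", "000110", "001001"),
    "010": ("100100", "000011", "011100"), "110": ("110100", "000111", "011101"),
    "001": ("100001", "010110", "001101"), "101": ("110001", "010010", "001100"),
    "011": ("100101", "010111", "011001"), "111": ("110101", "010011", "011000"),
    "inf": ("010000", "000100", "000001"),
}
# Set partitions of the subsystems {1, 2, 3}, finest first.
PARTITIONS = [((1,), (2,), (3,)), ((1, 2), (3,)), ((1,), (2, 3)), ((1, 3), (2,)), ((1, 2, 3),)]

def span(gens):
    """All Z_2 linear combinations of the generators, as a set of bit tuples."""
    vs = [tuple(int(ch) for ch in g) for g in gens]
    return {tuple(sum(c * x for c, x in zip(cs, col)) % 2 for col in zip(*vs))
            for cs in product((0, 1), repeat=len(vs))}

def symplectic(u, v):
    """Sum over subsystems of (j,k) o (j',k') = k j' - j k', reduced mod 2."""
    return sum(u[i + 1] * v[i] - u[i] * v[i + 1] for i in range(0, len(u), 2)) % 2

def isotropic(gens):
    """True if every pair of vectors in the span has symplectic product zero."""
    space = span(gens)
    return all(symplectic(u, v) == 0 for u in space for v in space)

def support(v):
    """Subsystems on which v has a non-zero (j, k) pair."""
    return {i // 2 + 1 for i, bit in enumerate(v) if bit}

def separability(gens):
    """Finest partition (I_1, ..., I_m) for which C is the direct sum of the C(I_k),
    where C(I_k) holds the vectors of C supported on the subsystems in I_k."""
    space = span(gens)
    for blocks in PARTITIONS:
        # Subspaces on disjoint blocks meet only in 0, so they fill C iff sizes multiply to |C|.
        sizes = [sum(1 for v in space if support(v) <= set(b)) for b in blocks]
        if prod(sizes) == len(space):
            return blocks
```

The nine spans also partition the 63 non-zero vectors of $V_6(Z_2)$, which is a quick consistency check on the table itself.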

Theorem 6.1 Let $I_1$ denote the indices of a subset of factors in $H_1 \otimes \cdots \otimes H_n$
and let $I_2$ denote the complementary factors. Suppose

where the vectors in $C_{a_0 \ldots a_{n-1}}(I_k)$ have zero entries in the pairs of indices not
indexed by $I_k$. Then the associated projections $P_{a_0 \ldots a_{n-1}}(r)$ are $(I_1, I_2)$ separable
and

$$P_{a_0 \ldots a_{n-1}} = P_{a_0 \ldots a_{n-1}}(r(I_1)) \otimes P_{a_0 \ldots a_{n-1}}(r(I_2)),$$

where $r(I_k)$ has non-zero components only in positions indexed by $I_k$.
Finally, if

$$C_{a_0 \ldots a_{n-1}} = \oplus_{k=1} C_{a_0 \ldots a_{n-1}}(I_k),$$

then the vectors in $C_{a_0 \ldots a_{n-1}}(I_k)$ have symplectic product zero and hence the
associated spin matrices commute. The formal verification is easy, and we leave
it to the reader to confirm that property for the examples described above.

A Projections of generalized spin matrices

Here are the details for the projections associated with the $S_u$. We recall
Definitions 3.3 and 3.4 and prove Proposition 3.6.

Proposition A.1 When $d$ is prime, $\{P_u(r) : 0 \le r < d\}$ is a complete set of
mutually orthogonal projections.

Proof: We have

$$P_u(r) P_u(s) = \frac{1}{d^2} \sum_{m=0}^{d-1} \left( \sum_{n=0}^{d-1} (\alpha_u)^{m+n} \eta^{-(rm+sn)} S_u^{m+n} \right).$$

Consider two cases. Suppose $0 \le n \le d-m-1$. Define $t$ by $m \le t = m+n \le d-1$
and replace this part of the $n$-summation by the corresponding $t$-summation. If
$d-m \le n < d$, $0 \le t = m+n-d < m$, and we have altogether



^ d-l 

Pu{r)Pu{s)^^Y. 



d-l 



m — 1 



+d 



t=0 



Now a^+'^Sl^'^ = {auSuY atrf'^^i). By virtue of the definition of a„, air^'^^i) = 
1, and it is precisely for this reason that we chose the specific form of a„. It 
follows that 



d-l 



Pu{r)Pu{s)^^^Y.^aur]Su)'Y. 



i{t — s) 



When r ^ s, X]m=o '7™'''^ = 0. When r — s, the second summation equals d, 
and thus P,, (r) Pu{s) = 5{r,s) Pu (r) . 

It remains to show that (P„ [r))^ = Pu [r) , and again we need a^ry-''^''^) = \ 



, d-l 

{Pu{r))^ = ;tE"«"^"™''('?''^"^^> 







-mj. — mk 



2 /'rn' 



1 ^ g^-m^-mr^rn^jk-]k{'^)g_ 

("'^^) and the substitution n — d — m for 1 < m < d. 
i spin matrices, we obtain 

d-l 

^0,0 + E «"^"'^V'(^)^«„„fea-'^vK2) 



where we use m 

From the properties of the spin matrices, we obtain 

d-l 



n=l 



Pu{r). □ 



B Projections of tensor products of generalized 
spin matrices 

In Theorem 4.2, which solves the MUB problem for the bipartite case, we
obtained classes of matrices of the form $S_{2b_0,\,a_0b_0+a_1b_1D} \otimes S_{2b_1D,\,a_0b_1+a_1b_0}$ where $a_0$
and $a_1$ are fixed, and the $b_k$'s vary over $Z_p$. Following the ideas used above, we
want to show how the projections for each class can be computed from the spin
matrices in the class. From Lemma 2.2

$$S_{2b_0,\,a_0b_0+a_1b_1D} = S_{b_0(2,a_0)}\, S_{b_1(0,a_1D)}$$
$$S_{2b_1D,\,a_0b_1+a_1b_0} = S_{b_0(0,a_1)}\, S_{b_1(2D,a_0)}\, \eta^{-b_0b_12Da_1},$$

so that, up to powers of $\eta$, matrices in this class are of the form

Accordingly, set $u_1 = (2, a_0)$, $u_2 = (0, a_1D)$, $v_1 = (0, a_1)$, $v_2 = (2D, a_0)$. For
simplicity let $u$ denote $(u_1, u_2)$, let $v$ denote $(v_1, v_2)$, and let $r = (r_1, r_2)$. Up to
the factor $\eta^{-b_0b_12Da_1}$ the matrices in the commuting class $C_{a_0,a_1}$ have the form

and this motivates the definition

p„,. (0 ^ ^ E E "^-i ® ^-1)™' ('^''^"^ ® ^-^)'"' ■ 

mi 7712 

Proposition B.1 i?ao,ai = $\{P_{u,v}(r) : r_1, r_2 \in Z_p\}$ is the set of orthogonal
projections generated by the commuting unitary matrices indexed by $C_{a_0,a_1}$.

Proof: Expand $P_{u,v}(r) P_{u,v}(s)$ using $m$ and $n$ for the summation variables.
Then check that

since $u_1 \circ u_2 + v_1 \circ v_2 = 0$. Hence, $P_{u,v}(r) P_{u,v}(s)$ can be written as

ki k2 

multiplied by E777i Em^ ^ follows that the product is 

$P_{u,v}(r)$ if $r = s$, and 0 otherwise. Clearly $P_{u,v}(r)$ has trace 1 since only the
$m_1 = m_2 = 0$ term contributes to the trace. We need to prove that $P^\dagger_{u,v}(r) =
P_{u,v}(r)$. This can be verified using the same techniques illustrated above and
we omit the details. Finally it is easy to check that

711 712 

where $n = (n_1, n_2)$.

Analogous results can be extended to the case of multiple tensor products
using the same kind of reasoning. Since the only complication is notational, we
omit the statements and proofs.

C Methodology for $d = p^2$, $p$ an odd prime

Anticipating step 1 of Section 5, define the polynomial $f(x) = x^2 - D$, where
$D$ is chosen so that $f(x)$ does not have a root in $Z_p$. Now let $\lambda$ denote a root of
$f(x)$ in $GF(p^2)$. (The analogue is the introduction of the symbol $i$ to denote a
root of $f(x) = x^2 + 1$, which does not have a root in the real numbers.) Following
in] define the Galois field

$$GF(p^2) = \{j + k\lambda : j, k \in Z_p\}$$

with coordinate-wise addition and multiplication mod $p$ defined by

$$(j + k\lambda) + (a + b\lambda) = (j + a) + (k + b)\lambda$$
$$(j + k\lambda)(a + b\lambda) = ja + Dkb + \lambda(jb + ka).$$

In analogy with the definition of multiplication of complex numbers, $\lambda^2 = D$. In
$GF(p^2)$ there are two distinct solutions of $f(x) = 0$: $\lambda$ and $(p-1)\lambda$ where we
need $p > 2$ to guarantee that these are indeed distinct elements in $GF(p^2)$. The
remaining exercise is to convince oneself that this produces a field of $p^2$ elements.
For example, $(j - k\lambda)(j^2 - Dk^2)^{-1}$ is the multiplicative inverse of $j + k\lambda$, and
one sees the importance of the choice of $D$ to guarantee that $j^2 - Dk^2 \ne 0$.

Let $V_2(GF(p^2)) = \{u = (\alpha, \beta) : \alpha, \beta \in GF(p^2)\}$ and define the symplectic
product:

$$u \circ u' = \beta\alpha' - \alpha\beta'.$$

Proposition C.1 Define subsets of $V_2(GF(p^2))$ for each $a$ in $GF(p^2)$

$$C_a = \{\beta(1,0) + \beta a(0,1) = \beta(1,a) : \beta \in GF(p^2)\}$$
$$C_\infty = \{\beta(0,1) : \beta \in GF(p^2)\}.$$

Then these are $p^2 + 1$ sets, each of which has $p^2$ vectors and only $(0,0)$ is common
to any two sets. If $u$ and $v$ are in the same set, $u \circ v = 0$.

The proofs of the assertions above are exactly the same as those in Proposition
3.2. Although we are using a different field, the arguments involving linear
spaces are identical.

Now for the second idea. $V_2(GF(p^2))$ is a two-dimensional vector space
over the extended field. $GF(p^2)$ can be thought of as a two-dimensional space
over $Z_p$. Specifically, if $\alpha = j_1 + j_2\lambda$ and $\beta = k_1 + k_2\lambda$, then $u = (\alpha, \beta) = \alpha(1,0)
+ \beta(0,1)$ can be written as

$$u = (j_1 + j_2\lambda)(1,0) + (k_1 + k_2\lambda)(0,1)$$
$$= j_1(1,0) + j_2\lambda(1,0) + k_1(0,1) + k_2\lambda(0,1),$$

which motivates the representation of $V_2(GF(p^2))$ as a four-dimensional vector
space over $Z_p$. However, to relate the symplectic product in $V_2(GF(p^2))$ to the
vector symplectic product in (4.1), we take special basis vectors. Specifically,
we define

$$e_0 = 2^{-1}(1,0), \quad e_1 = (2D)^{-1}\lambda(1,0), \quad f_0 = (0,1), \quad f_1 = \lambda(0,1)$$

and use these so that

$$(\alpha, \beta) = 2j_1e_0 + 2Dj_2e_1 + k_1f_0 + k_2f_1.$$

Proposition C.2 Let $M$ be the linear mapping from $V_2(GF(p^2))$ to $V_4(Z_p)$
defined by its action on $e_j$ and $f_k$: $M(e_0) = (1,0,0,0)$, $M(e_1) = (0,0,1,0)$,
$M(f_0) = (0,1,0,0)$, $M(f_1) = (0,0,0,1)$. Then $M$ is a $Z_p$ isomorphism — a
one-to-one, onto mapping that preserves the linear structure. Using the notation
above, $w = M((\alpha, \beta)) = (2j_1, k_1, 2Dj_2, k_2)$.

We are now ready to relate the symplectic structures of $V_2(GF(p^2))$ and
$V_4(Z_p)$. The point, of course, is that we want to define the classes $C_{a_0,a_1}$ of
Theorem 4.1 in terms of the classes $C_a$ of Proposition C.1. To do this, we need
the idea of the trace of a field extension. This gets us into the details of finite
field theory, but for the specific case at hand we can simply define it as follows.
The two solutions of $f(x) = 0$ are by definition $\lambda_1 = \lambda$ and $\lambda_2 = (p-1)\lambda$, and
the latter is just the additive inverse $-\lambda$. Then define the linear function Tr as
follows.

Definition C.3 $\mathrm{Tr}(j + \lambda k) = \sum_{r=1}^{2} (j + \lambda_r k) = 2j$.

We now have all of the machinery we need for the case $d = p^2$. Furthermore,
the same ingredients, suitably modified, work for $d = p^n$.

Theorem C.4 Let $z = (\alpha, \beta) \in V_2(GF(p^2))$ and $w = M(z)$. Then

$$w_1 \circ w_2 = \mathrm{Tr}(z_1 \circ z_2).$$

In particular, the class $C_a$ in $V_2(GF(p^2))$ maps to the class $C_{a_0,a_1}$ in $V_4(Z_p)$.

Proof. If $z = (\alpha, \beta)$ in the notation above, then $z_1 = 2j_1e_0 + 2Dj_2e_1 + k_1f_0 + k_2f_1$.
Correspondingly, let $z_2 = 2r_1e_0 + 2Dr_2e_1 + s_1f_0 + s_2f_1$. We can compute $z_1 \circ z_2$
in terms of the $e_j$'s and $f_k$'s. Now $e_j \circ e_k = f_j \circ f_k = 0$ and $f_0 \circ e_0 = 2^{-1} = f_1 \circ e_1$,
since $\lambda^2(2D)^{-1} = 2^{-1}$. Finally $f_0 \circ e_1 = \lambda 2^{-1}$ and $f_1 \circ e_0 = \lambda(2D)^{-1}$. Since
$\mathrm{Tr}(2^{-1}) = 1$ and $\mathrm{Tr}(\lambda) = \lambda + (-\lambda) = 0$, we have

$$\mathrm{Tr}(z_1 \circ z_2) = (k_1 2r_1 - 2j_1s_1) + (k_2 2Dr_2 - 2Dj_2s_2)$$
$$= (2j_1, k_1) \circ (2r_1, s_1) + (2Dj_2, k_2) \circ (2Dr_2, s_2)$$
$$= (2j_1, k_1, 2Dj_2, k_2) \circ (2r_1, s_1, 2Dr_2, s_2),$$

which is $w_1 \circ w_2$ in $V_4(Z_p)$ as required. □
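Theorem C.4 can be confirmed exhaustively for a small field. The following Python code is an added example, not part of the paper: it assumes $p = 3$ and $D = 2$, builds $GF(3^2)$ with $\lambda^2 = D$, and checks the trace identity under the map $M$ of Proposition C.2 as well as the class properties of Proposition C.1. All function names are hypothetical.

```python
from itertools import product

P, D = 3, 2          # constructed sample: x^2 - D has no root in Z_3

def mul(a, b):
    """(j + k lam)(a + b lam) = ja + D kb + lam (jb + ka), coordinates mod P."""
    return ((a[0] * b[0] + D * a[1] * b[1]) % P, (a[0] * b[1] + a[1] * b[0]) % P)

def sym_ext(z1, z2):
    """u o u' = beta alpha' - alpha beta' in GF(p^2), for z = (alpha, beta)."""
    (a1, b1), (a2, b2) = z1, z2
    x, y = mul(b1, a2), mul(a1, b2)
    return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)

def tr(a):
    """Tr(j + lam k) = 2j (Definition C.3)."""
    return 2 * a[0] % P

def M(z):
    """z = (j1 + j2 lam, k1 + k2 lam) -> (2 j1, k1, 2 D j2, k2) in V_4(Z_p)."""
    (j1, j2), (k1, k2) = z
    return (2 * j1 % P, k1, 2 * D * j2 % P, k2)

def sym_vec(w1, w2):
    """(j,k) o (j',k') = k j' - j k', summed over the two index pairs of V_4(Z_p)."""
    return (w1[1] * w2[0] - w1[0] * w2[1] + w1[3] * w2[2] - w1[2] * w2[3]) % P

FIELD = list(product(range(P), repeat=2))     # elements j + k lam as pairs (j, k)
V2 = list(product(FIELD, repeat=2))           # vectors (alpha, beta)

def theorem_c4_holds():
    """Check w1 o w2 = Tr(z1 o z2) for every pair of vectors in V_2(GF(p^2))."""
    return all(sym_vec(M(z1), M(z2)) == tr(sym_ext(z1, z2)) for z1 in V2 for z2 in V2)

def classes():
    """Images under M of C_a = {beta (1, a)} for each a, followed by C_inf = {beta (0, 1)}."""
    out = [{M((b, mul(b, a))) for b in FIELD} for a in FIELD]
    out.append({M(((0, 0), b)) for b in FIELD})
    return out
```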

The definition of the $e$'s and $f$'s gives $\mathrm{Tr}(f_j \circ e_k) = \delta(j, k)$, and that was
the point of defining the weights above. All of these techniques generalize, and
details are outlined in Appendix D.

D Finite fields for $d = p^n$, $p$ prime

We summarize the theory of finite field extensions without proofs. For details
see [SJ E]. $GF(p^n)$ denotes a finite field with $p^n$ elements that contains the
field $Z_p$ as a subfield. Up to isomorphisms, $GF(p^n)$ is unique and is defined
using a polynomial

$$f(x) = c_0 + \cdots + c_{n-1}x^{n-1} + x^n \qquad (D.1)$$

that is irreducible over the field $Z_p$. One can also assume that $f$ factors into a
product $\prod_{k=1}^{n}(x - \lambda_k)$ with $n$ distinct roots in $GF(p^n)$. Using $\lambda$ to denote
one of these roots, the theory guarantees that elements of $GF(p^n)$ can be written
as

$$\alpha = a_0 + a_1\lambda + \cdots + a_{n-1}\lambda^{n-1} : a_k \in Z_p.$$

Addition in $GF(p^n)$ is coordinate-wise and in multiplication, one makes use of
$\lambda^n = -(c_0 + c_1\lambda + \ldots + c_{n-1}\lambda^{n-1})$. Then the fact that $f(x)$ has no roots in
$Z_p$ is used to show $GF(p^n)$ is a field.

As an example, for $d = 2^2$ it can be shown that $f(x) = x^2 + x + 1$ is the
correct polynomial, since in $Z_p$ $f(0) = 1$ and $f(1) = 1$. Then

$$GF(2^2) = \{0, 1, \lambda, \lambda^2 = \lambda + 1\}.$$

It is easy to check that $x^2 + x + 1 = (x + \lambda)(x + (\lambda + 1))$.

Different irreducible polynomials can generate the same finite field, but their
solutions may have different properties. For example, if $p = 3$ and $n = 2$, the
polynomial $f(x) = x^2 + 2x + 2$ can be used instead of $f(x) = x^2 - D$ with
$D = 2$. If $\alpha$ is a root of $f(x)$ in $GF(3^2)$, then $\lambda = \alpha^2$ is a root of $f(\lambda) = \lambda^2 - 2$.
As an exercise in the notation, one can confirm that $\alpha$ is a primitive root in the
sense that all of the non-zero elements of $GF(3^2)$ can be written as powers of
$\alpha$. The theory guarantees primitive polynomials for finite fields, but we do not
assume any properties of the generating irreducible polynomials beyond those
set forth in the first paragraph of this section.

The trace operation generalizes in the following way. 

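Definition D.2 For each $\alpha = \alpha(\lambda) = a_0 + a_1\lambda + \cdots + a_{n-1}\lambda^{n-1}$,

$$\mathrm{Tr}(\alpha) = \sum_{r=1}^{n} \alpha(\lambda_r),$$

where the $\lambda_r$ are the distinct roots of $f(x)$ in $GF(p^n)$.

For example, take $GF(2^2)$. Then $\mathrm{Tr}(1) = 0$, $\mathrm{Tr}(\lambda) = \lambda + (\lambda + 1) = 1$, and
$\mathrm{Tr}(\lambda + 1) = 1$.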

From the representation of elements of $GF(p^n)$, $GF(p^n)$ can be considered
as an $n$ dimensional space over $Z_p$. Then $V_2(GF(p^n))$ can be written as a
$2n$-dimensional space over $Z_p$. We define $n$ of the basis vectors as $f_k = \lambda^k(0, 1)$,
$0 \le k \le n-1$, as before, and we want a dual basis consisting of vectors

$$\{e_j = g_j(\lambda)(1,0) : 0 \le j \le n-1\}$$

that are linearly independent over $Z_p$ and satisfy

$$\mathrm{Tr}(e_j \circ f_k) = \mathrm{Tr}(g_j(\lambda)\lambda^k) = \sum_{r=1}^{n} g_j(\lambda_r)\lambda_r^k = \delta(j, k).$$

The remainder of this Appendix is devoted to deriving the form of $g_j(\lambda)$.
Examples in Section 5 illustrate the use of this machinery, and we follow the
presentation in FTj. For an alternative method to compute the dual basis based
on primitive polynomials see

Since $f(x)$ does not have multiple roots, $f(x)$ and $f'(x)$ have no common
non-constant factors and, in addition, $f'(\lambda) \ne 0$. From $f(x) = \prod_{j=1}^{n}(x - \lambda_j)$,
$f'(\lambda_r) = \prod_{j \ne r}(\lambda_r - \lambda_j)$. With $\lambda$ denoting a generic root, one can check that
there are values $d_k = d_k(\lambda)$ such that

$$\frac{f(x)}{x - \lambda} = d_0 + d_1x + \cdots + d_{n-1}x^{n-1}.$$

Combining these results, we define

Now if we set $\lambda = \lambda_t$ for each of the $n$ distinct roots, only the $r = t$ term
survives in the middle expression, so that $F_k(\lambda_t) = \lambda_t^k$. By the general theory
of polynomials over finite fields $F_k(x)$ must then equal $x^k$. Thus

and we have a key result.

Proposition D.3 If $e_j = g_j(\lambda)(1,0)$, where $g_j(\lambda) = d_j(\lambda)/f'(\lambda)$, and $f_k =
\lambda^k(0, 1)$, then

$$\mathrm{Tr}[f_k \circ e_j] = \delta(j, k),$$

and the set $\{e_j, f_k\}$ is linearly independent over $Z_p$.

It remains to show how to compute $d_j(\lambda)$. From (D.1) and $f(x) = (x - \lambda)(d_0 +
d_1x + \cdots + d_{n-1}x^{n-1})$, $d_{n-1} = c_n = 1$. It follows for $1 < r \le n$ that

r-l 

dn—r — ^ ^ + r- 

3=0 

The highest order term of $d_{n-r}$ is $\lambda^{r-1}$.
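Proposition D.3 and the computation of the $d_j$ translate directly into code. The following Python function is an added example, not the authors' code: it builds $GF(p^n)$ from the coefficients of $f$, obtains $d_{i-1} = c_i + \lambda d_i$ by comparing coefficients in (D.1), and returns $g_j = d_j(\lambda)/f'(\lambda)$ together with the matrix $\mathrm{Tr}(g_j\lambda^k)$. It assumes $f$ is irreducible with $n \ge 2$ and evaluates the sum over roots in Definition D.2 as $\alpha + \alpha^p + \cdots + \alpha^{p^{n-1}}$; the function name is hypothetical.

```python
def dual_basis(p, c):
    """Dual basis for GF(p^n) = Z_p[lam]/(f), f(x) = c[0] + ... + c[n-1] x^(n-1) + x^n
    irreducible over Z_p, n >= 2. Elements are coefficient tuples (a_0, ..., a_{n-1}).
    Returns (g, gram) with g[j] = d_j(lam)/f'(lam) and gram[j][k] = Tr(g_j lam^k)."""
    n = len(c)
    one = (1,) + (0,) * (n - 1)
    lam = (0, 1) + (0,) * (n - 2)

    def add(a, b):
        return tuple((x + y) % p for x, y in zip(a, b))

    def mul(a, b):
        prod = [0] * (2 * n - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] += x * y
        for k in range(2 * n - 2, n - 1, -1):   # lam^n = -(c_0 + ... + c_{n-1} lam^(n-1))
            for i in range(n):
                prod[k - n + i] -= prod[k] * c[i]
        return tuple(x % p for x in prod[:n])

    def power(a, e):
        r = one
        while e:
            if e & 1:
                r = mul(r, a)
            a, e = mul(a, a), e >> 1
        return r

    def tr(a):
        # The roots of f are lam^(p^i) and a(lam^(p^i)) = a(lam)^(p^i), so the sum
        # over roots is a + a^p + ... + a^(p^(n-1)); the result lies in Z_p.
        total = (0,) * n
        for i in range(n):
            total = add(total, power(a, p ** i))
        return total[0]

    d = [one] * n                                # d_{n-1} = c_n = 1
    for i in range(n - 1, 0, -1):                # d_{i-1} = c_i + lam * d_i
        d[i - 1] = add((c[i] % p,) + (0,) * (n - 1), mul(lam, d[i]))
    fprime = tuple(i * ci % p for i, ci in enumerate(list(c) + [1]) if i)
    inv = power(fprime, p ** n - 2)              # 1/f'(lam), since a^(p^n - 1) = 1
    g = [mul(dj, inv) for dj in d]
    gram = [[tr(mul(gj, power(lam, k))) for k in range(n)] for gj in g]
    return g, gram
```

For $p = 3$ and $f(x) = x^2 - 2$, passed as `dual_basis(3, [1, 0])`, the result is $g_0 = 2 = 2^{-1}$ and $g_1 = \lambda = (2D)^{-1}\lambda$, the weights used for $e_0$ and $e_1$ in Appendix C.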